Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Mozilla EU Firefox Security The Internet

Mozilla Might Distrust Dutch Government Certs Over 'False Keys' (bleepingcomputer.com) 112

Long-time Slashdot reader Artem Tashkinov quotes BleepingComputer: Mozilla engineers are discussing plans to remove support for a state-operated Dutch TLS/HTTPS provider after the Dutch government has voted a new law that grants local authorities the power to intercept Internet communications using "false keys". If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA)...

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic. Such covert technical capabilities include the use of "false keys," as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

"Fears arise of mass Dutch Internet surveillance," reads a subhead on the article, citing a bug report which notes, among other things, the potential for man-in-the-middle attacks and the fact that the Netherlands hosts a major internet transit point.
This discussion has been archived. No new comments can be posted.

Mozilla Might Distrust Dutch Government Certs Over 'False Keys'

Comments Filter:
  • by mellon ( 7048 ) on Sunday November 05, 2017 @02:20PM (#55494573) Homepage

    This is a tough question, because arguably corporate-held keys aren't trustworthy either, but if we are to trust government keys, we need to know what the terms of governance are, and in general we don't. In the U.S., for example, government eavesdropping rules are secret. So trusting a PKI cert issued by the U.S. government is crazy. Of course, governments can also often compel private industry, and as we've seen, private industry can also engage in corrupt practices or careless practices. Honestly, PKI is pretty rickety.

    • by Anonymous Coward

      It makes sense to trust government keys when communicating with the government that issues them.

      • by sjames ( 1099 ) on Sunday November 05, 2017 @02:37PM (#55494641) Homepage Journal

        The problem is the whole system is set up so you either trust a key signer for any key they sign or you don't trust them at all. There isn't currently a mechanism where you can conditionally trust a key signed by a government.

        • by Anonymous Coward on Sunday November 05, 2017 @03:03PM (#55494739)

          True, the current system is and always had been broken by design. It only takes one foul apple to spoil the whole dish.

          • by sjames ( 1099 )

            Worse, most of the brokenness including not being able to sign sub-certs with a cert from my primary domain and the lack of conditional trust are driven by the desire to sell more certs rather than security concerns or technical limitations.

        • Right, but the US government doesn't issue certificates for anyone else. In the Dutch case, however, I do support removing trust.

          • by sjames ( 1099 )

            It's a matter of who they MIGHT create a fake cert for if they want to snoop. Are you sure you would trust relax.trust.us.gov to never ever issue a fake cert for gmail.com even if the FBI says pretty please and pinky swears they'll get a warrant eventually?

            • This is exactly right. If a browser trusts a signing authority, that authority can sign for any domain.

            • With that said, we know the supposed intent is to only sign for *.gov, so browsers should only trust the CA for that TLD. This is a good time to evaluate all similar CAs in this way.

              • by sjames ( 1099 )

                That goes back to my original statement. Browsers really should be able to conditionally trust a CA like that, and users should be able to set conditions on trust, but no browser has either feature currently. It should be part of the standard, but that might have cut into sales so it was right out of the question.

            • by jrumney ( 197329 )

              Are you sure you would trust relax.trust.us.gov to never ever issue a fake cert for gmail.com even if the FBI says pretty please and pinky swears they'll get a warrant eventually?

              This is why public key pinning must be removed [slashdot.org] in future versions of Chrome, and the ability to check the details of a certificate has already been well buried within the developer tools UI.

        • At least for browsers you can add an exception for the gov't certs that you trust.

          • by sjames ( 1099 )

            You can add exceptions for individual certs, but only if you either blindly trust them or use an external mechanism to validate the signature. But you can't, for example, set the browser to trust a cert signed by the U.S. government ONLY if the cert is for a domain in *.gov.

        • by syzler ( 748241 ) <(ten.kedzys) (ta) (divad)> on Sunday November 05, 2017 @09:46PM (#55496387)
          However if crypto toolkits would finally implement and actually validate certificates using "DNS-Based Authentication of Named Entities" (DANE) [ietf.org], then all of this is moot since the DNS operator for a site would be able to specify which specific TLS key is being used by the site with a few DNS records. A government entity wouldn't be able to man in the middle a TLS connection without either cracking the TLS keys themselves or by compromising the the root DNS server keys.
          • by sjames ( 1099 )

            That would raise the bar considerably.

          • by jrumney ( 197329 )

            all of this is moot since the DNS operator

            By DNS operator, you mean the government agency in control of the endpoint to which you are connecting, right?

      • A goverment might want to spy - so don't trust government keys for yor terror/revolution plans.

        Corporate keys are even worse, they might sell access to the highest bidder. Such as your competitors - or governments. Governments have their agendas, but rarely sell out.

      • by mellon ( 7048 )

        This is absolutely true, but if it's a PKI signing key, trust is binary, so that's not one of the options (correct me if I'm wrong here—this is my understanding).

    • by Kjella ( 173770 )

      If it's important enough you obviously shouldn't trust any third party to verify anyone's identity, but if I don't know who you are should I start fingerprinting and DNA testing you or should I ask for a driver's license or passport? It's a bit the same with websites, for the most part I'm satisfied with a CA backing the claim. The alternative is that I have no clue, because there's no practical way for me to verify everything in person.

      • by AHuxley ( 892839 )
        An encryption watch setting that shows if more than average use, requests, networking suddenly starts with .gov encryption?
        Some sort of extension in FF that tells a user any gov cert is been used on a non .gov/mil site more than expected?
        A question that asks a user if they are in the EU and/or expect to communicate a lot with EU governments?
        If a third party is tracking encrypted .com. net and .org sites with the user and the user never visited an EU nations .gov site?
    • The current system with the hierarchy where a single CA is the only one deemed trustworthy enough is broken since a long time. A new solution is necessary where cross-signing with multiple CAs on a single certificate is necessary to measure how trustworthy a certain certificate is.

      Done correctly this would ensure that a single CA isn't able to hold the full key for signing either. This would of course require a completely different architecture in the trust structure.

      In addition to this - the keys used to g

      • by mellon ( 7048 )

        You don't need to split the key to do this, so this is actually not that hard. A simple matter of standardization... :)

      • A new solution is necessary where cross-signing with multiple CAs on a single certificate is necessary to measure how trustworthy a certain certificate is.

        That sounds awfully like PGP's web of trust. Which, come to think of it, isn't a bad idea.

    • Let's shorten the question a bit:
      Does it make sense to trust any govt?

      Well... one could argue that it makes sense to trust the Dutch govt, as they are clearly announcing that they will abuse their authority to issue certificates.
      Actually I find that an extremely stupid move.
    • by tsa ( 15680 )

      In the US gouvernment eavesdropping rules may be secret but at least they seem to have rules they stick by. Being a Dutch citizen and having read about the ways of our government, I would not be surprised if this law that we will get now (of which many dictators will be mighty jealous. Even the FBI was impress with what we can do) just legalises only a part of the ways my gouvernment uses to eavesdrop and spy on its people.

    • by jrumney ( 197329 )
      Not trusting any foreign government's CA is probably an easy starting point. Not trusting your own government's CA will probably make it difficult to file taxes, renew passports and any other interaction you need to do with your own government though, so while the threat of them eavesdropping on your communication is probably highest, it is more difficult to mitigate without side-effect. PKI used to be quite good when there were half a dozen trusted certificates in Netscape's default CA store. But for at
  • by Opportunist ( 166417 ) on Sunday November 05, 2017 @02:26PM (#55494597)

    This is what happens when you try to pull a stunt like this.

    Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.

    The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.

    • by AmiMoJo ( 196126 )

      They should distrust all certificate authorities in countries where there are secret legal means to force the creation of bogus certificates, e.g. the UK.

      The whole system needs replacing but while we have to work with it it's important to take a firm stance on not allowing governments to interfere with or subvert it.

    • by cstacy ( 534252 ) on Sunday November 05, 2017 @06:46PM (#55495729)

      This is what happens when you try to pull a stunt like this.

      Certificates are based on a system of trust. I trust a certificate because the issuer promises that it belongs to the party it was issued to. If that party now not only has the ability but also the obvious intent to intercept and snoop on traffic, the certificate is intrinsically untrustworthy. Because it can easily be used for such nefarious applications.

      The Netherlands just made all their certificates along with every certificate issuing company under their jurisdiction untrustworthy.

      What makes anyone think that certain various intelligence agencies (such as those in the USA and Europe in general) do not already have the means to sign "false certificates"? Through government intimidation, secret procedures, etc. In what way are the corporate-based CAs not secretly influenced by the government(s)?

      • by Opportunist ( 166417 ) on Sunday November 05, 2017 @07:01PM (#55495777)

        Too high a risk to take.

        Blanket use of forged certificates would make it near impossible that such behaviour isn't eventually noticed, which would instantly lead to the whole certificate chain system coming down.

        If anything, such a tool would be used very carefully for high profile targets.

  • Referendum (Score:2, Informative)

    by Anonymous Coward
    Btw, Netherlands will hold a referendum on this new surveillance law, so Mozilla's action is warranted https://www.reuters.com/articl... [reuters.com]
    • Re: (Score:3, Informative)

      by bokkepoot ( 143872 )

      Btw, Netherlands will hold a referendum on this new surveillance law

      The referendum to be held is only valid if 30% of the eligible voters actually vote, and even if it is valid, it is (only) an advisory referendum.

      Also, 2 of the major parties have already spoken out as to ignore the results of the referendum, whatever they may be, and continue with this surveillance law.

      • That's ok. Most Dutch also ignore what these two parties say.

        • Sadly they are in government...
          • You say this like it mattered.

            The more governments act against the interests of their subjects, the less said subjects feel obliged to heed their laws. Or report those that break them.

            This is, by the way, one of the reasons the East Bloc fell. In the end people felt more committed to their fellow sufferers than their government.

            • We're a long way off from that point. Especially since there's a sizable silent majority who think they "have nothing to hide"
              • But they also don't want to get involved with government. My neighbor is stealing public property? I'd rather not get involved, it's not like it's my business.

          • by tsa ( 15680 )

            Next time they won't be.
            The thing with having untrustworthy gouvernments and a democracy is that diring the next elections the people always punish the parties for their behaviour. This results in difficult formations and absolutely no possibility of long term planning. Which means the Netherlands are now way behind in education, technology and are far below even the US with regard to doing battling climate change.

  • We have been existing for a long time without https, but now we want a certificate for everything, even places where is trust isnâ(TM)t needed. One of the issues I see is that there is a difference between trust and encryption, but the average user may not make the distinction.

    Also, to the average user it isnâ(TM)t clear who the third party they are trusting is and whether they are any more trustworthy. This leads to the risk of blind trust and the consequences that go with it. A bit like afreeing

    • I have no idea who hosts the server, and I have no need to trust them. It is useful though if I know that they're the source of the data.

      This encryption isn't about trusting the other party you agreed to exchange network data with, it is about trust in the network pipe itself!

      • Except we are moving towards a situation where the "site" is just a front for CDN's (Content Delivery Networks): CloudFlare, AWS, Google AMP, etc, etc.

        • The "site" can also be sitting behind a proxy server - which can delivery "content" from anywhere for the domain in question.

          Claiming there is any real trust in this house of cards is almost laughable.

    • For sites where trust isn't needed, that's only true when there's not a mitm attack and/or fake ads, fake downloads, or even something as simple as an email subscribe form where you don't want information in the wrong hands.

    • In this time of fake news, https based communication is more important than ever. Less even for the encryption part.

      Encryption, despite what most people think, is only the side effect. The main, far more important, aspect is to verify that I am actually talking to whom I think I'm talking to. Encryption means exactly nothing if I cannot determine whether a MitM is taking place.

      And neither does it mean anything if I get information from someone without the ability to verify that whoever I'm talking to is act

    • by Z34107 ( 925136 )

      Also, to the average user it isn't clear who the third party they are trusting is and whether they are any more trustworthy.

      Blindly trusting a third party, or even a small number of third parties, is still a huge improvement over blindly trusting a far greater (but unknown) number of third parties. Quit being lazy and fix your website.

    • > One of the issues I see is that there is a difference between trust and encryption, but the average user may not make the distinction.

      There actually isn't much difference, in use cases TLS is normally used for. Or more specifically, you can't usefully have one without setting up the other. To have useful encryption you must identify the other party, and to trust their identity you must have, at minimum, cryptographic signatures of the your personal challenge key with server's key and the data (at w

  • So far this law is a proposal and it needs to be passed by parliament.

    After some seven months of negotiations we've (the Dutch) just received a new coalition government based on four parties.
    For some inexplicable reason they all believe this is a good plan though it looks like majority of the population is not convinced.
    An advisory referendum will be held but one of the larger parties already announced they would ignore the outcome.

    This government has a parliamentary majority of one and I would be su
    • by Calydor ( 739835 )

      Then it only makes sense that Mozilla are already now telling the Dutch government what the consequences will be of their actions, while it's still possible to simply abandon the proposed law.

  • by WaffleMonster ( 969671 ) on Sunday November 05, 2017 @03:11PM (#55494775)

    It's good to see more governments acting to grant themselves the ability to overtly subvert PKI on a global basis while Google is busy removing the only technology standing any chance of offering end users a clue.

    • What about "Expect-CT" ?

      If a site is using Expect-CT, the mis-issued certificate would need to be added to a publicly verifiable append-only log or if the header mysteriously went missing, it gets reported.

      • What about "Expect-CT" ?

        What about an experimental draft no browser supports? This isn't even a standards track document.

        If a site is using Expect-CT, the mis-issued certificate would need to be added to a publicly verifiable append-only log or if the header mysteriously went missing, it gets reported.

        Section 4 of draft-ietf-httpbis-expect-ct-02
        "Site operators could themselves only cure this situation by one of:" ...
        "obtaining a certificate from an alternative certificate authority". ...

        This doesn't fix the problem of states controlling CAs - it ignores it completely.

        One RFC gives users control over what is valid while a different experimental draft intentionally takes it away.

        Anyone can submit a poem about

        • Supported by Blink and enabled by default in Chrome 61 and Opera 48. Mozilla has publicly voiced their support for it and are currently developing support for it.
          https://www.chromestatus.com/f... [chromestatus.com]

          It stops any CA from mis-issuing a certificate without first publicly declaring so. They have to submit their certificate to a public log before they use it. They can't remove it from the log.

          • It stops any CA from mis-issuing a certificate without first publicly declaring so. They have to submit their certificate to a public log before they use it. They can't remove it from the log.

            PKP gives operators control over what CAs are considered valid by FORCE.

            This is Expect-CT
            https://www.youtube.com/watch?... [youtube.com]

            They are not the same things. Not even close.

            • PKP doesn't stop your CA from issuing another certificate to anyone else.
              It also makes it hard to change CA's.

              It also makes is possible for an attack to have long lasting impacts on your website. If someone gains access to your web server, they can install their own certificate and set the HPKP header to a large value. Everyone who now visits the website will be unable to access it using any other CA that what the attacker chose.

              All it takes is one disgruntled employee.

              It's a very easy to fuck up system wit

  • by jonwil ( 467024 ) on Sunday November 05, 2017 @03:48PM (#55495009)

    There are a number of proposals out there for alternatives that would supplant or replace CAs as the root of trust on the web. Storing keys in DNS via DNSSEC and DANE for one .EFF Sovereign Keys proposal. And I swear there are others but I cant find any right now.

    Right now we are in a situation where any one of who knows how many CAs can produce a valid certificate for a web site without the web site even knowing it (and can do so for any number of reasons including a rogue employee, a government or government agency forcing them to do it or a hacker compromising the system and stealing the keys as happened to another Dutch CA, DigiNotar)

    Why has there been no interest in supporting these alternatives that eliminate the possibility of CAs producing bogus certificates?

    • The issue comes down to trust. If someone controls your pipe, even DNSSEC wonâ(TM)t help.

      If you use it, then you have to trust the root DNS servers, which are generally controlled by the U.N. and thus by extension the US/UK etc.

      The system we have now allows you to at least selectively trust one or more CA and itâ(TM)s relatively easy to take the trust out, if you put it in DNS and the DNS goes rogue or is exploited, then you canâ(TM)t trust anything anymore.

      What should happen is that CA adver

    • by AHuxley ( 892839 )
      Re "Why has there been no interest in supporting these alternatives that eliminate the possibility of ... bogus ...?"
      The same reason why decades ago the world trusted the Data Encryption Standard.
      Why the internet generation did not block/find/expose/stop/publish about/detect the gov/mil with PRISM https://en.wikipedia.org/wiki/... [wikipedia.org]
      The world wants a GUI and and easy internet from site the site.
      The 5 eye gov/mil wants access to all consumer grade crypto to collect it all.
      I hope this kind of gov decryptio
  • This is why Dutch people should vote pirate party. The pirate party has been opposing these kind of regulations since it's inception, for good reasons. If they would get only one seat in the dutch house of parliament (tweede kamer) that would mean having the chance to be heard instead of years long silence in this digital age. Why would you let technology-scared people rule the future?
  • This is only tangentially related, but it needs to be reposted at least once a year.

    BlackHat USA 2011: SSL And The Future Of Authenticity [youtube.com] — Moxie Marlinspike

    Hilarious Comodo story begins around 5 m mark.

    Slide at 10:48 has only become funnier in the meantime.

  • If they remove the dutch CA, then they should also remove every american CA as they have the same duty to obey to create certificates if an US government agency asks them to (and in most cases aren't even able to talk about it).. So blocking the dutch CA is only a very hypocritical move if they don't do it with other CA's.
  • Thank god the Dutch have no living experience with a mass-murdering dictatorship that would abuse such power to maintain its power, and the last time they did was so distantly remote in the past that they can so rest assured of it never happening again that they can hand over such power for prosaic crimes and never fear a loss of freedom again!

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...